[RESOLVED]NS breaks citi.com with "global allow all" enabled

jzigns
Posts: 5
Joined: Fri Mar 04, 2016 8:41 pm

Post by jzigns »

After logging in to citi.com Firefox hangs for 30 or 40 seconds after certain actions. It works fine (no delay) if NoScript is disabled or uninstalled, but if NoScript is enabled there are major hangs ("Firefox not responding") even if "global allow all" is enabled.

From the js console:

Code:

A form was submitted in the windows-1252 encoding which cannot encode all Unicode characters, so user input may get corrupted. To avoid this problem, the page should be changed so that the form is submitted in the UTF-8 encoding either by changing the encoding of the page itself to UTF-8 or by specifying accept-charset=utf-8 on the form element. OutsideView.do
A form was submitted in the windows-1252 encoding which cannot encode all Unicode characters, so user input may get corrupted. To avoid this problem, the page should be changed so that the form is submitted in the UTF-8 encoding either by changing the encoding of the page itself to UTF-8 or by specifying accept-charset=utf-8 on the form element. RedirectToCBOL.do:163:3
TelemetryStopwatch: key "FX_PAGE_LOAD_MS" was already initialized TelemetryStopwatch.jsm:52:0
about:blank : Unable to run script because scripts are blocked internally. <unknown>
about:blank : Unable to run script because scripts are blocked internally. <unknown>
There is a lot more in the console, but I keep getting a spam error from the form if I include it all.
Thanks.
Mozilla/5.0 (Windows NT 10.0; rv:44.0) Gecko/20100101 Firefox/44.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript breaks citi.com with "global allow all" enabled

Post by barbaz »

As a test, please try disabling the XSS filter and see if that mitigates the hanging:
NoScript Options > Advanced > XSS, un-check both boxes

If this works, we likely need to make an XSS exception; this sticky has details on how that works. We will want to make an exception for origin (the one with @) so that citi isn't opened up to actual XSS.
I would also suggest you install NoRedirect to see the exact URLs, what's going on, and where it hangs; that way you'll know all the URL(s) that need to be included in the XSS exception.

If you provide specific URLs (with sensitive data removed!) we'll help you construct the XSS exception.
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript breaks citi.com with "global allow all" enabled

Post by barbaz »

jzigns wrote: There is a lot more in the console, but I keep getting a spam error from the form if I include it all.
Hang on, I missed this part of your post. Do any of the messages you couldn't post start with "[NoScript" or "[ABE]"? If so, please hold off on the advice in my prior post and PM these messages to a mod (me, GµårÐïåñ, therube, or Thrawn); PMs to forum staff are not spam filtered.
Thanks
-
therube
Ambassador
Posts: 7979
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript breaks citi.com with "global allow all" enabled

Post by therube »

From the Error Console, generally you're going to want the entries that may reference [NoScript].

Given how banks break, a lot, of late, going to think you're running into the same deal with citi.com?

Do you notice it trying to load any particular site, like, www.somedumbsite.citi.com - for an extended period of time - just prior or during the hang?

And if you enable full domains, & specifically exclude that particular domain, does the issue subside?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 SeaMonkey/2.39
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript breaks citi.com with "global allow all" enabled

Post by barbaz »

@jzigns: Got it, thanks.
Nothing there is obviously NoScript related. So please try what I outlined above re: the XSS filter.
-
jzigns
Posts: 5
Joined: Fri Mar 04, 2016 8:41 pm

Re: NoScript breaks citi.com with "global allow all" enabled

Post by jzigns »

barbaz wrote: As a test, please try disabling the XSS filter and see if that mitigates the hanging:
NoScript Options > Advanced > XSS, un-check both boxes
Disabling the XSS filter worked. I installed NoRedirect but don't know how to use it.
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript breaks citi.com with "global allow all" enabled

Post by barbaz »

Sorry, I forgot to post instructions on what to do with NoRedirect :oops:

Set it up to block all redirects:
Regex: .*
check only "Source"

then delete any pre-existing rules that you think might interfere here
-
jzigns
Posts: 5
Joined: Fri Mar 04, 2016 8:41 pm

Re: NoScript breaks citi.com with "global allow all" enabled

Post by jzigns »

I accept the following 3 redirects:
After the above redirect is accepted, the page below opens up and hangs for 40 seconds then everything works normally.
jzigns
Posts: 5
Joined: Fri Mar 04, 2016 8:41 pm

Re: NoScript breaks citi.com with "global allow all" enabled

Post by jzigns »

barbaz wrote: As a test, please try disabling the XSS filter and see if that mitigates the hanging:
NoScript Options > Advanced > XSS, un-check both boxes
I tried unchecking just one box each by itself, but both must be unchecked for it to work properly.
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript breaks citi.com with "global allow all" enabled

Post by barbaz »

Under Anti-XSS Protection Exceptions, try adding the following new line:

Code:

^@https://online\.citi\.com/.*/flow\.action\?
Does the site now work with XSS filter enabled?
-
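Added example, not part of the thread and not NoScript's own code: a JavaScript sketch that checks how narrowly the exception line above is scoped before it is relied on. It assumes, following the thread's description of the "@" form, that a line starting with "^@" is tested against the request's origin URL and any other line against the destination; the helper names and sample URLs are constructed placeholders.

```javascript
// Added illustration, not NoScript source code.
// Assumption: a line starting with "^@" is tested against the request's ORIGIN URL;
// any other line is tested against the DESTINATION URL.
const PAGE_RULE = String.raw`^@https://online\.citi\.com/.*/flow\.action\?`;

function parseException(line) {
  const originScoped = line.startsWith("^@");
  // Drop the "@" marker so the rest compiles as an ordinary anchored regex.
  const source = originScoped ? "^" + line.slice(2) : line;
  return { originScoped, regex: new RegExp(source) };
}

// request = { origin, destination }: the page issuing the request and its target.
function isExempt(line, request) {
  const { originScoped, regex } = parseException(line);
  return regex.test(originScoped ? request.origin : request.destination);
}

// Flag exception lines that would exempt more than the intended host.
function lint(line) {
  const findings = [];
  if (!line.startsWith("^")) findings.push("not anchored with ^");
  const body = line.replace(/^\^@?/, "");
  const m = /^https:\/\/([^/]+)(\/?)/.exec(body);
  if (!m) return findings.concat("no literal https:// host prefix");
  if (/(^|[^\\])\./.test(m[1])) findings.push("unescaped . in host");
  if (m[2] !== "/") findings.push("host not closed by /");
  return findings;
}

// Constructed sample requests (paths are placeholders, not real citi.com URLs).
const NEXT = "https://online.citi.com/PLACEHOLDER/next";
const samples = [
  { origin: "https://online.citi.com/PLACEHOLDER/a/flow.action?x=1", destination: NEXT },
  { origin: "https://online.citi.com.other.example/a/flow.action?x=1", destination: NEXT },
  { origin: "https://other.example/page", destination: "https://online.citi.com/PLACEHOLDER/a/flow.action?x=1" },
  { origin: "http://online.citi.com/PLACEHOLDER/a/flow.action?x=1", destination: NEXT },
];
const results = samples.map((r) => isExempt(PAGE_RULE, r));
console.log(results, lint(PAGE_RULE), lint("^@https://online.citi.com"));
```

Only the first sample is exempted: a look-alike hostname, a foreign origin targeting the same path, and a plain-http origin all stay under the XSS filter.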
jzigns
Posts: 5
Joined: Fri Mar 04, 2016 8:41 pm

Re: NoScript breaks citi.com with "global allow all" enabled

Post by jzigns »

Yes, it works! Thanks Barbaz! Is that the final solution?
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript breaks citi.com with "global allow all" enabled

Post by barbaz »

Yes it would be in this case because the XSS filter is not actually tripping.

You're welcome!
-